Surveillance in Startup Land

>> Hey, hey, hey, hey. So startups put a ton of work into building their products, and most of the time those products are powered by data. And there is actually a bunch of things that can screw you over, but one for sure is a lapse in cybersecurity. So our next panelists are going to talk about what's out there, coming at you, and the best ways to avoid that lapse. Please welcome to the stage, from Google, Maddie Stone, and from the ACLU, Jennifer Granick, and your moderator, Zack Whittaker. Warm welcome, please.

>> So nice to be back after two years away. Thank you so much for joining us, Maddie and Jennifer.

>> Thanks.

>> Every startup in this audience and watching live has something in common. That's surveillance. Some of you are actively defending against it, and some of you are blissfully unaware you're sleepwalking your startups into becoming extensions of the next surveillance state. So this talk might scare the shit out of some of you. I apologize in advance. Thank you for being here. Jennifer, I would love to start with you. As the ACLU's security and surveillance counsel, you follow the public sentiment with regard to privacy. Looking around us, we have devices encrypted, some messages are encrypted. How did we get here? Why has there been such an intense trend toward privacy in recent years, and especially the last few months?

>> Yeah, I mean, privacy has always been really important for a variety of reasons, stemming from either protecting yourself from identity thieves or hackers to protecting yourself from overzealous law enforcement here in this country and in other countries. But I think more and more people are realizing how important privacy is in the post-Roe v. Wade world, now that the Dobbs decision came down. People are realizing the data we produce can be used to go after and prosecute people for exercising their right to get an abortion. And so people are really sensitive now, like, all this data is out there about me. And it is nice for those of us who have been working on privacy for a long time, because it feels like people finally appreciate us. So it is unfortunate this has to be it, but it is really great that the public is becoming sensitized to the problem of having our data just out there.

>> We have so many examples of that coming along the way as well. Maddie, welcome. You're a security researcher at Google's Project Zero team, where you investigate how security flaws are exploited by spyware and other bad actors. For those watching and in the audience today, how much does cybersecurity factor into defending against surveillance?

>> It is everything. If they can't access your data, they can't gain access to the camera, the microphone, all of the different parts that could be used to surveil, then you can't really do surveillance at this ease across the world, across the city, not being in physical proximity. So security can address all those concerns. And on Project Zero, our goal is make zero-day hard. That doesn't say make zero-day exploits, which are the exploits that are targeting the vulnerabilities no one yet knows exist and are generally used by the commercial surveillance companies or state-sponsored actors. We're not saying make zero-day nonexistent. We're saying make zero-day hard, meaning that it is so costly, so — requires so much expertise, requires such a time investment from these folks who want to do surveillance, that it is really not worth it to go after folks' phones or after companies storing data or things like that. That's really what it is: changing this balance of the return on investment. And right now it is just too easy.

>> Can I just add to that? I think, to add to what Maddie is saying, our legal regime is not that protective. It actually makes it quite easy for law enforcement and for foreign intelligence agencies, never mind from other countries other than the U.S., to get this data. So really security and technology are the first and best step toward protecting our privacy.

>> So, is defending against powerful adversaries like governments an impossible task? Is there hope?

>> Yes. I would not be waking up and doing my job every day if I did not think we could make a difference. There are a lot of practical and tangible actions we can take that will actually make it really, really difficult for folks to be able to say, hey, I want to scan all these people's phones and see who is in this location at this time, let's check who is sending WhatsApp messages to each other, by raising basic levels of security. Things like, you know, are people applying patches, is two-factor authentication in place, where you don't just put in one password, someone actually has another token or piece of information that is added to it. All these basic sort of security hygiene things that we have been talking about for decades directly make it harder for these nation-state and very sophisticated adversaries. The thing is, when I study zero-days, the most sophisticated type of security attack someone can use, and it is interesting right now because those are being used in highly impactful societal ways of targeting politicians and journalists and human rights defenders, but as long as other people are able to use less sophisticated means, that's why we're not talking about these zero-days as being used by crimeware groups or, you know, a dime a dozen. They can use easier things. By continuing to raise that bar, we can make a big difference and make their lives really, really hard.

>> So there is hope. That's good to know. And so I want to focus on, for a second, why we're talking about this today and the harms that surveillance has on people. And, Jennifer, why should the companies here be thinking about surveillance, and what are the consequences if they don't?

>> I mean, I think there is a feeling that, well, if I'm not doing anything wrong, then I don't have anything to worry about. And then the corresponding feeling, well, you know, this data I collect isn't dangerous to my users. And that's just not true anymore, if it ever was. We mentioned that abortion example, but, you know, first of all, a ton of things are illegal that you don't even realize are illegal. It makes it possible to put people in risk, or the fear of risk, based on what the information is that is out there. And then the other, you know, saying is, if you give me six lines written in the hand of an innocent man, I'll find enough to hang him. And that is totally true. And just like a very quick story. I had a friend who had a client whose client witnessed a murder. But the police didn't believe he was a witness. They thought that he was a member of the gang involved in the murder. And they got ten years of his Facebook history, all these photos, and basically just cherry-picked, out of the thousands and thousands of photos, the ones where he was wearing red, and then said, okay, this means he was in the gang. So, you know, even the most innocent of information in the wrong hands can be misused.

>> So let's take a look, a closer look, at some of the headlines we have seen recently. These are just a few big examples of surveillance you might have seen in the past few years. Let's stick with spyware, or surveillance by zero-day, where security flaws are exploited to spy on people. Let's start there. Maddie, as you said, part of your job is trying to make it harder for bad actors to exploit zero-days. You did mention it a little earlier; could you give us a little example of what is a zero-day, and why do we call them that?

>> A zero-day is a bug, a mistake, a vulnerability in the code base that defenders don't yet know exists. We don't know about that specific one. So an n-day vulnerability, the opposite of a zero-day, is one where it has been reported to the vendor or someone found it, and there is a patch you can go and download. There are antivirus signatures to be able to find when someone is trying to exploit it. The zero-days are the ones that, we all know there are mistakes in code, but they're the ones that an adversary or attacker has found but the defenders and the security teams don't yet know, and so, as teams working on the zero-day area, we're trying to find things that we don't know what they look like. And that's really why they're so powerful, is because you can't have these, you know, running your antivirus signatures or things like that to protect yourself. And the zero-day term comes from: there have been zero days since it has been known.

>> So, governments are known for, among many things, the excessive use of surveillance. What are the risks and consequences of governments using undisclosed zero-days?

>> Yeah, so, to break it down, you know, even bigger than that is most organizations or individuals today probably do not need to worry about being individually targeted with zero-day exploits. However, they impact each and every one of us when our politicians and political systems are being hacked with these, when our critical infrastructure, when minority populations are being mass exploited with this to monitor their movements, journalists, human rights defenders. That impacts us all at this very large societal level. And so we need to all care about these things, not just be, like, oh, yeah, there was a zero-day in blah, blah, blah phone operating system, but we don't really need to pay that much attention because it was only used against this one group. No, we all need to care when the most vulnerable among us are being targeted, and, selfishly, it affects us all.

>> Does it, from a legal point of view, also set a bad precedent if governments are using zero-days? Almost like, vulnerable for them, vulnerable for us. It applies to governments all the time, but should it apply to them?

>> It is not so much a fairness thing, but it is a question of what do we want our government to be incentivized to do? And really the government should be incentivized to try to protect us from attackers, protect us from hackers. But when the government — when governments use zero-days, they have an investment in our communications technology remaining insecure.

So instead of having a defender mentality, they have an offender mentality, and that results in insufficient investment, insufficient efforts to try to help people secure themselves. And if a government can get in, then other actors can get in as well. So it is really dangerous just to have the government not on your side.

>> To add on to that, as Jennifer was saying, where it is leaving this hole, these vulnerabilities and zero-day exploits are not a tangible thing that only one person can have. What we see as a team who also tries to mimic the behaviors of attackers in finding these zero-day vulnerabilities and reporting them publicly is that there is a huge amount of bug collisions, meaning we're finding the same bugs as other security researchers, as also the offensive surveillance vendors and people who sell exploits.

>> So how do you make it more difficult for surveillance actors like nation-states to exploit zero-days?

>> Well, so one is, when a vulnerability is reported to you, patch it as quickly as possible, but also use that information to figure out where all the other holes are in your system. So, talking to some of the folks who work in the offensive exploit market currently, and just from the data and collecting of all of the zero-days being actively exploited in the wild, is that attackers are having success right now by using variants of zero-day vulnerabilities that are already publicly known. So basically someone reports the vulnerability at — in the code base, they provide a proof of concept, well, that same pattern exists elsewhere in the code base, yet the vendor only fixed that one place. And so all the attacker has to do is plug and play, find that exact same pattern somewhere else, and that's what people are doing now. In the first half of this year, 2022, more than 50% of the in-the-wild zero-days, the ones that were being actively exploited, were variants of things we have seen in the last two or three years.

>> And how much does communication and transparency play into that? You're very vocal about these things. You have a public spreadsheet. But how much does communication and being public and transparent and explaining the things to the public and the publications and so on help?

>> It is one of the biggest things I need, we need, to be focused on, and one reason why I'm optimistic. For the last three years, really pushing on the fact that, hey, if you're a vendor, whenever you're issuing a security bulletin and patch, if you have reason to believe that it is being actively exploited in the wild, disclose that to everyone, that it is not just another vulnerability. And the reason behind that is, one, for targeted populations, even if there might not be evidence they specifically were targeted, you're giving them a piece of information to take their own autonomy and make their own choices of, okay, I know these types of actors have targeted me in the past, they may now, I need to assume everything that happened on that app or that device was compromised. And that can provide more physical safety. From an industry perspective, it means we can all learn from each other, we can figure out what the chains look like, because today a zero-day capability almost always has two or three exploits chained together. And so that often means you're talking through different products. It might start on Chrome and then go to Windows; it might go from a messaging app to another app on the phone to finally an Android privilege escalation. So these capabilities are collaborative, and that means we need to all be working together. 2021 was the most zero-days we have ever seen in the wild, and I think that's actually because of the transparency in the industry. Both Android and Apple began publishing this information when they knew of active exploitation happening, and that gave us so much more view into what are these attackers actually doing. So that we can have this ground truth, when, as defenders, you know, it helps us to be able to make those choices of where do we invest, what is actually going to make it harder for them?

>> Yeah. I want to talk about another kind of pervasive tracking, one that may hit close to home: data brokers, the companies that collect and buy the granular location data from smartphone apps, from billions of devices around the world, and then sell it to governments and militaries. So why would governments want that data? What is so valuable about location data from cell phone apps?

>> It is extremely sensitive. Whether you are looking for it en masse as a bulk collection, and you want to see where populations are moving, that was something that the government — governments were interested in in the early days of COVID, there were quarantines or, yeah, shelter-in-place type orders, like, are people leaving Brooklyn and coming to Manhattan, for example, are people crossing the border and going to abortion clinics? In aggregate, who is at the bank robbery, at the Black Lives Matter protest, at January 6th? This information in bulk is extremely — is extremely revealing, and it also, you know, location history allows you to track an individual or individuals: they went to the AA meeting, they went to the mosque, they went to their parents' house, they went — that sort of thing. So the information is very revealing. And one of the great things about buying it from a data broker is you don't have to go get a warrant from a court. So there is no point where the law enforcement agent has to prove that the need for the information exists. It is really just what they want.

>> So there is an assumption, if you have nothing to hide, there is no fear from the government, but we also have seen that's not necessarily the case on several, you know, many cases, and we also have seen the U.S. government buying bulk location data from data brokers. How much of a threat are data brokers?

>> I think data brokers are a big threat because it is a way of circumventing the even modest legal protections that we have for this data. And it is really not transparent. We don't know how much data law enforcement gets from data brokers, we don't know how they're using that data, we don't know what they're — how they keep it. And, you know, sometimes we never know because there are no criminal charges; they're following people who are, you know, innocent, for some reason. Or there is parallel construction, where law enforcement can go and pretend they found the information through a legitimate path, even though they found it through a different way that they want to keep secret. There are all kinds of doctrines that law enforcement uses in order to keep secret what they're actually doing in terms of surveillance.

>> So a lot of startups use SDKs, and they use all kinds of plug-ins and code to extract location data and give that to data brokers, part of a way to make money. And a lot of data brokers offer money to developers for location data. But it is not us doing the surveillance, they might say. Who is responsible ultimately for apps and services that give data to data brokers? Who is responsible for that?

>> The app developer. Any of us who are writing software and then delivering it to customers are responsible for whatever code we're giving to our customers, and that means looking at libraries, looking at the SDKs, all of those different pieces. If you're putting it out there, then your users can be harmed, and that's on each of us to evaluate what are we handing over to them. And that comes both with the data collection along with, you know, vulnerabilities too: are you making your users more vulnerable by using this library, not taking updates, and things like that. And an example is, back prior to Project Zero, I worked on the Android malware team and we discovered this giant botnet that was on millions of devices around the world, and it got on all of those devices because they had sold themselves as a monetization SDK to all the app developers. They did lots of different types of things to monetize itself, such as, not as common here in the U.S., but premium SMS fraud, where it would send a bunch — it would register a premium number, send a bunch of these text messages, and that money comes from the user's bill. So things like that of, yeah, the app developers were like, it is a monetization SDK, but it is actively stealing money from each of your users.

>> So historically data is money, and selling access to users' location data, or any data, is how a lot of people make money. How much surveillance, as a whole or even on a granular level, can be fixed by new business models?

>> I think the business model is a really important piece of the vulnerability. Like, if you don't know how you're going to make money, that's a problem. Because eventually investors, or if you go public and sell shares, there is going to be some point at which somebody is, like, okay, what do you have to make money off of? If all you have is user data, there is huge pressure to do that. I think that, you know, the question is how — what kind of advertising model or other model can you do without collecting so much personally identifiable information that can be traced back to a real person? So I think there are some technological approaches, which could be like anonymization, or there are a lot of technologies where you can do data analysis without having the information be aggregated or be identified.

And I think that's really important. Obviously you can have a paid subscription model; that works for some things, not for everything, and I don't think everybody should necessarily have to pay, but we need to think carefully about how we collect and analyze the data, lest you end up being part of this surveillance capitalism, you know, pollution of data that's out there.

>> So let's stay with that for a moment. Let's try to end on a positive note. Let's say your business relies on user data; a lot of companies do. How would you defend that data? What are some things that startups can do to protect their users' data? Maddie, you touched on this at the start.

>> Really evaluating your security hygiene. So, there are a lot of documents out there nowadays, even like CISA. Is the same password used elsewhere? If you're buying products from some people, are you changing that? Until you get those, I would say you don't need to quite worry fully about the zero-day problem. Because by forcing people to use zero-days, that's — that is better than them being able to use cheaper techniques. But also, one of the ways that I don't think a lot of people think about that they can make an impact is, a lot of companies and startups are buying software or products or laptops, computers, from other big companies to use. And so they're actually — there is power in that to get changes in the industry that we're looking for, of how often are you going to provide me security bulletins, do you promise that if you know of something being exploited you'll tell me about it, what type of analyses do you do when they're reported to you. And that's where I think a lot — it is very easy to get into that individual mindset of, I'm just one person, I'm just one company, but when you're paying people to do stuff, suddenly it becomes much more powerful to start asking and sort of demanding some answers. And when lots and lots of, you know, individual companies start doing this, then that becomes this wave of, oh, we need to start doing this if we want to keep making money and selling our products to folks.

>> Yeah. There are an increasing number of privacy-protecting technologies that are out there. Like, I'm on the board of Let's Encrypt, the certificate authority. One of our projects, as part of the Internet Security Research Group, is a product, Divvi Up, which is designed to try to do analysis on data without it all being, like, aggregated and identified. So you need to think about and look for that, and kind of build security and privacy in from the very beginning instead of thinking about it as an aftermath. And I would say the same thing about law. If you have data, people are going to try to come and get it, and you need a robust process in place for when those government demands come in.

>> We have a few minutes left. What more can we do on an individual level, especially here in the U.S.? There are laws in Congress aiming to tackle some of the data brokerage issues. But what more can we do?

>> From a legal perspective, call your congressperson. Both at the federal level: there is a bill called the Fourth Amendment Is Not For Sale Act that would deal with data brokers, and there are a couple of transparency bills out there about data requests. And at the state level, we're seeing real progress in terms of legislation, especially here in California, but also in New York. And there is just a real, like, enthusiasm for states passing more privacy laws because of Dobbs.

>> What more can we do on an individual level here in the U.S.?

>> Well, I don't know all the legal, so for me — from my perspective on a technical, individual level, protect yourself: apply patches as soon as they're available. A lot of systems now have auto-update, because that really is what protects you from the mass exploitation. Because as soon as those vulnerabilities are out there in a patch, there are thousands of people around the world doing what is called patch diffing to figure out what is the vulnerability and how do I exploit it, because that's much easier than the zero-days. And so while you might not be a target of the state-sponsored actors, the non-state-sponsored actors, that there are a whole lot more of, are looking to get anyone they can. So applying the updates is probably the biggest way to protect yourself.

>> And surveillance isn't just a U.S. thing. I also just want to kind of end on a brighter note, we have a minute left on the clock, in terms of startups that are doing things. You mentioned Let's Encrypt is a nonprofit that gives out certificates. Are there any other startups that are doing good things at the moment that you can share with the audience? Let's Encrypt is good, to be fair.

>> I'm on the board. I'm familiar with ISRG's products. We also have Project Prossimo, about taking code libraries and putting them in a more secure programming language. I am on the board. Really awesome organization. We're doing some really cutting-edge things.

>> Yeah.

>> Sorry to put you on the spot. So sorry.

>> You know, everybody in the audience are the ones who are going to be doing really awesome things after having listened to this panel.

>> That's the real hope. I hope you folks weren't scared too much. Thank you for joining us. Thank you, again. Madd
